Company

News

Investors

The GDPR & HubSpot

Here’s what we’re doing to help you comply.

The GDPR enforcement deadline has come and gone, and HubSpot's got a ton of new functionality to enable easier compliance. All functionality detailed on this page is now live to all HubSpot customers. Want to get the full scoop on the new features? Check out our GDPR Playbook by clicking the button to the right.

Whether you’re B2B or B2C, big or small, you’ve probably heard about the EU’s new regulation, the General Data Protection Regulation (GDPR). It’s a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens.

At HubSpot, our entire organization is hard at work ensuring that our own practices are GDPR-compliant. But equally important to us is helping you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own.

A big piece of that is ensuring that the HubSpot platform sets you up for GDPR compliance.

We are fully committed to providing features in HubSpot that enable easier compliance with the GDPR.

This page represents our product roadmap --- all functionality on this page is now live, and detailed in our GDPR playbook.

DISCLAIMER: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how HubSpot has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding. The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.

Product Roadmap

What we're building and when

Below, find a detailed list of the features we've built to help you be compliant. Every feature on this page is now completed, and live to all HubSpot customers

But first, a quick primer on the legalese associated with the GDPR.

Let’s say that Ana is a contact of yours and an EU citizen. She's called the "data subject," and your company (let's call you Acme Corp.) is called the "controller" of that data. If you're a HubSpot customer, then HubSpot acts as the "processor" of Ana's data on behalf of Acme. With the introduction of the GDPR, data subjects like Ana are given an enhanced set of rights, and controllers and processors like Acme Corp and HubSpot, respectively, an enhanced set of regulations.

What it Means

What HubSpot is Building

Lawful basis of processing

What it Means

You need to have a legal reason to use Ana’s data. That reason could be consent (she opted in) with notice (you told her what she was opting into), performance of a contract (e.g. she’s your customer and you want to send her a bill), or what the GDPR calls “legitimate interest” (e.g. she’s a customer, and you want to send her products related to what she currently has).

You need the ability to track that reason (also known as “lawful basis”) for a given contact.

What HubSpot is Building

We will be adding a brand new multiselect property to track lawful basis. The property will be editable manually or via automation. For example, you might configure an automated workflow to set the lawful basis property when Ana signs a contract.

In addition, you’ll be able to track and audit the grant of lawful basis using the property history for that new property.

In order for Ana to grant consent under the GDPR, a few things need to happen:

• She needs to be told what she’s opting into. That’s called “notice.”

• She needs to affirmatively opt-in (pre-checked checkboxes aren’t valid). Her filling out a form alone cannot implicitly opt her into everything your company sends.

• The consent needs to be granular, meaning it needs to cover the various ways you process and use Ana’s personal data (e.g. marketing email or sales calls). You must log auditable evidence of what Ana consented to, what she was told (notice), and when she consented.

What HubSpot is Building

In HubSpot, we're adding features to make collecting, tracking, and managing consent in a GDPR-compliant way as straightforward as possible.

Three of the most common ways that HubSpot customers acquire new customers are through Forms (including Lead Flows), Messages (aka Conversations), and Meetings. These are different channels through which Ana might initially engage with Acme. In each of these tools, you’ll be able to provide proper notice to Ana before she provides information to you (using text boxes on forms), and to collect the appropriate consent when she’s ready to grant it.

An additional detail on notice: if you need to link out to additional notice provisions (like privacy notices), you can do so using hyperlinks in forms. Once Ana submits her information, we will store a copy of the notice that Ana was provided, information about which consent she provided, and the timestamp of the interaction.

We’ll make this level of consent tracking available for other forms of contact creation as well: imports, APIs, and manual additions.

Alongside that change, the HubSpot subscription preferences page will be updated to support the needs of the GDPR. Currently the subscription preferences page allows Ana to opt out of different types of communications. This page will be updated to support opt-in preferences.

Ana needs the ability (as data subject) to see what she’s signed up for, and withdraw her consent (or object to how you’re processing her data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.

What HubSpot is Building

In HubSpot, Ana can withdraw her consent from your subscription preferences page. Once the above changes on consent are made, that page will reflect her affirmative opt-in for each type of communication. On your subscription preferences page, she can easily withdraw that consent. Alternatively, if you receive a withdrawal of consent directly from Ana, you will be able to modify the lawful basis contact property we mentioned above.

In addition, all 1:1 email sent via Sales Hub will be updated to allow the inclusion of unsubscribe links (including messages sent using Sequences).

Ana needs to be given notice that you're using cookies to track her (in language she can understand) and needs to consent to being tracked by cookies.

*** We know the ePrivacy Regulation is coming, and that it may have an impact on how cookies are regulated. We’ll adjust our product accordingly.

What HubSpot is Building

We'll update the default language for enabling cookies on HubSpot-hosted websites to reflect affirmative opt-ins, and make it possible to show different versions of the cookie consent message based on domains or specific URL paths that you specify.

Ana has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of Ana’s contact from your database, including email tracking history, call records, form submissions and more.

In many cases, you’ll need to respond to her request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.

What HubSpot is Building

You will be able to perform a GDPR-compliant permanent delete in your HubSpot portal.

Just as she can request that you delete her data, Ana can request access to the personal data you have about her. Personal data is anything identifiable, like her name and email address. If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

Ana can also request to see and verify the lawfulness of processing (see above).

What HubSpot is Building

HubSpot enables you to grant any access/portability request by easily exporting Ana’s contact record into a machine-readable format. Engagement data like tasks, notes, and calls that aren’t provided in the contact record export can be accessed using the CRM engagements API.

You can verify Ana’s lawfulness of processing using the associated contact property we mentioned above.

Just as she can request to delete or access her data, Ana can ask your company to modify her personal data if it’s inaccurate or incomplete. If and when she does, you need to be able to accommodate that modification request.

What HubSpot is Building

In HubSpot, if Ana asks you to change her information, you (or your portal admin) can do so from within her contact record.

Currently Available

Security Measures

What it Means

The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization.

What HubSpot is Building

As part of HubSpot's approach to the GDPR, we’re strengthening our security controls across the board.

In addition to industry standard practices around encryption, HubSpot's infrastructure teams are also improving our systems for authentication, authorization, and auditing at a massive scale to better protect our customer's data.We will provide additional details on these security measures as they are implemented here.

Complete

Want to be notified whenever we update the roadmap?

We'll be updating timelines and adding documentation to this page between now and the deadline (and beyond).

Turning the GDPR from an Obstacle into an Opportunity

Now that we've gotten product specifics out of the way, a quick word on our mindset towards the GDPR, as marketers.

When a new set of rules is first introduced, our first reaction is often fear. Fear of compliance, of punishment, of red tape.

But here’s the thing: all of the recent data protection laws, from CAN-SPAM to CASL to the GDPR and beyond, are built for a simple reason: to provide better experiences for our customers and the people who trust us with their data.

In that way, they’re perfectly aligned with the concept of Inbound. Be relevant, be helpful, be transparent, and you’ll be on your way to compliance. Be spammy, interruptive, aggressive, and you’ll be in trouble.

Complying with the GDPR will require effort, and that effort may lead to stress between now and deadline day. But, at the end of the day, if the GDPR makes your customers’ lives better, it’ll grow your business as a result.

Here are a few big business benefits to think about, as you work through the process over the next few months:

• The GDPR has specific rules about enabling your contacts to specify exactly what they want to receive from you. This makes total sense from a business perspective. Don’t send to contacts that don’t want to hear from you, and make sure the ones that do get to choose what they want. Tangibly, this will lead to fewer unsubscribes and better deliverability.

• The GDPR requires increased transparency around data collection and processing. In legal language, that’s the “right to access” and “portability,” which mean your contacts can demand a copy of their data in a common format. In other words, your contacts should be able to ask you what they’re signed up for, and receive a quick, accurate, and easy-to-digest answer. When it comes down to it, not so crazy, right? Transparency breeds trust, plain and simple.

• The GDPR requires that you give your contacts the “right to be forgotten.” They can request that you delete them from your database. Not only will that satisfy the specific contact in question; it’ll ensure that you’re not wasting your time trying to market and sell to people that have no interest in your product or service. That means more time to focus on your best prospects and customers.

• Perhaps most importantly, the GDPR requires lawful basis for processing. In other words, you need a legal reason to use a contact’s data, like consent or legitimate interest. That’s bad news if you’re purchasing lists: not only is this not allowed under the HubSpot Acceptable Use Policy, but now it’s also not permitted under the GDPR. That may sound painful in the short term, but it’s good news for your company in the long run. Think about it. Who’s more likely to buy from you: a set of email addresses scraped off the internet who may or may not have ever heard of you, or a set of engaged contacts already interested in your product or service? We’ll take our chances with option two. Making sure you have established a lawful basis will lead to a more engaged list, better email deliverability, and fewer annoyed contacts.

For many companies --- HubSpot included --- GDPR compliance is stressful and work-heavy. But, as you work through those long hours reading through the GDPR and building out your process, don’t forget the purpose behind the law: to provide better, more secure, more transparent experiences for our customers.

When your customers win, you win too.

FAQ

We've answered some of the questions we've heard most often below.

Does the GDPR apply to me?

The GDPR applies to businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

Does the GDPR require personal data be stored in the EU? What does HubSpot do to ensure lawful data transfers from the EU?

No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU remain largely unchanged. The GDPR permits transfers of personal data outside of the EU subject to certain conditions. The EU-U.S. Privacy Shield continues to be one valid way to ensure adequate safeguards are in place for personal data transfer from the EU to the U.S. The EU model clauses also remain a valid mechanism to lawfully transfer personal data. HubSpot offers a Data Processing Agreement that incorporates the model clauses to our EU/EEA customers. We are also Privacy Shield certified.

I have contacts in my database that I don't have specific opt-in records for. Do I need to delete them?

At the end of the day, that's up to you and your legal team.A quick note to think about, though: just because you don't have record of opt-in doesn't mean you don't have lawful basis to process a contact record. Lawful basis comes in multiple forms:• Necessary for performance of a contract. Example: if Ana buys products from you, you can send her emails related to onboarding, billing, etc.• Legitimate interest. In the above example, you could email Ana about related products or services.• Consent (with notice). Freely given, affirmative, opt-in consent accompanied with transparent explanation of your purpose for acquiring/using the data. Pro tip: If you’ve lost track of the opt-in status of your contacts or never confirmed opt-in, you can run a permission pass campaign to remove any unconfirmed contacts from future sends.A permission pass campaign is a one-time email campaign that requests any contacts who haven’t already used some form of opt-in to confirm that they would still like to receive emails from you. Only the contacts who confirm their subscription status are then kept on your list. Those who don’t confirm will then be opted out of your marketing emails in HubSpot. The result is a highly engaged list of contacts who have proven that they want to continue receiving marketing emails from your company.You can find instructions on sending a permission pass campaign in this help document.

Does HubSpot comply with the right to erasure (right to be forgotten)?

Yes. When one of your contacts (i.e. data subjects) asks you to delete them from your records, you'll have the ability to do so quickly and easily. By May 25th, you'll be able to execute a GDPR-compliant delete, which will remove every trace of the contact from your system, permanently.

Will double-opt-in be mandatory?

For those unfamiliar with this term, "double-opt-in" is a 2-step mechanism where a person must confirm their email address after initially signing up. The GDPR does not require double-opt in (though certain countries may make this mandatory). It’s worth noting that subscribers to the HubSpot service may already choose to enable double-opt-in functionality in their portals as an additional protective measure in proving they obtained the required consent.

What else is HubSpot doing to prepare customers and partners for the GDPR?

In the past few months, we've created a slew of resources that go over the basics of the GDPR:

• GDPR glossary. The GDPR was written by lawyers, so it should come as no surprise that it's got a good bit of legal jargon sprinkled in. Don't worry, our glossary will help you understand the most important definitions.